For Savings and Cybersecurity, End No-Bid Contracting

From bloated overhead to cost overruns, the bar for excellence is set extraordinarily low in Washington, D.C. As can be seen from deliberations over the $1.2 trillion omnibus bill, lawmakers from both parties have little discipline in reining in spending. Traditional cost estimates of federal undertakings, however, often fail to take into account the woeful state of cybersecurity. Compounding this problem is the scourge of no-bid contracts and their propensity to bilk taxpayers and leave federal agencies vulnerable.

The government has a demonstrably terrible record on cybersecurity, scoring below virtually every private industry in a 2016 study by SecurityScorecard. And, as the latest Federal Information Technology Acquisition Reform Act scorecard shows, federal agencies are failing to beef up their cybersecurity. Six agencies slid in their ratings, while only three improved and fifteen stayed the same.

Strangely, though, private contractors seem to perform just as poorly as, or worse than, their public counterparts. Last month, security rankings firm BitSight released a cybersecurity scorecard comparing public agencies with federal contractors, and found that agencies actually tend to score better than their private counterparts on average.

Alarmingly, over 40 percent of contractors scored a “D” or “F” for Protective Technology countermeasures laid out by the National Institute of Standards and Technology (“NIST”) Cybersecurity Framework. Now, comparing public agencies and contractors is not exactly fair. Private companies doing business with the federal government are often expected to manage and safeguard sensitive information on citizens that is often targeted by hackers.

Still, the relatively poor performance by private firms seems strange, especially considering earlier findings by SecurityScorecard. But private contractors are unlike other companies in important ways. In particular, many benefit from “no-bid,” or non-competitive, contracts awarded by the federal government. At many agencies, no-bid contracts have become commonplace, as leaders cite the “public interest” in evaluating multiple bids.

The share of Pentagon contract spending awarded competitively has steadily declined over the past decade, driven by no-bid proliferation in areas such as human resources and Special Operations Command. In fiscal year 2017, more than half of Defense Department procurement spending — totaling more than $100 billion — was on noncompetitive contracts. Now, as the Pentagon has secured more money via the current budgeting process, there will be less incentive to spend funds wisely and the share of competitive spending will likely drop even further.

This lack of competition gives awardees little incentive to improve their operations, giving rise to deficient operations normally expected from a government agency. In June 2017, Secretary of Veterans Affairs David Shulkin awarded a multi-billion-dollar no-bid contract to Cerner to install a new electronic health record system for the agency. The award, which came despite a troubling track record of software glitches and data breaches by the company, has hit a series of bumps that threaten taxpayers and health care customers. With little explanation, the cost of the contract spiked 60 percent, and concerns over system “interoperability” mean that implementation may take far longer than originally expected.

To Cerner, and other beneficiaries of no-bid contracts, the message going forward is clear: system breaches, mammoth overruns, and unreliable service will be tolerated in an environment where companies do not have to compete for federal awards. Fortunately, more light is shining on federal contracting than ever before, thanks to the Digital Accountability and Transparency Act (DATA Act) passed in 2014.

Currently, grant and procurement reporting by agencies is still in the pilot phase, and the reporting of awards by some agencies has remained limited. The Government Accountability Office found in November, for instance, that the Department of Defense failed to link budget and award data in submissions to the Treasury. By ensuring that all agencies report all information to the Treasury, Congress can ensure that taxpayers are at least made aware of the types of contracts being made on the public dime.

More information alone will not lead to the demise of no-bid contracting. But consistent data reporting can enable Congress to tie funding to bidding competitiveness benchmarks, and allow watchdog groups to keep up the pressure on agencies that hand out contracts without due diligence.

As Congress gears up to spend even more taxpayer dollars on an array of wasteful and duplicative programs, the least they can do is make sure resulting contracts are fairly awarded. Greater competition can ensure that private contractors mirror their industry counterparts in cybersecurity protection and reliability, saving taxpayers and customers billions of dollars.